; ' Experts are warning 1 
; about viruses in ;• 
/infected attachments 

I By David L.Wilson 

. Mercu ry News \\*a sh i n gi o n B u rea u 

■ WASHINGTON — The holiday season is often a 
time when computer users pass around amusing 
electronic animations via e-mail. Although most of 

-.-.these attachments are harmless, some may hide 
destructive computer virus- 

- ' es; 

Indeed, anti-virus watch- 
dogs identified a new virus 
: ; T - this week that masquerades 
as an innocuous bunch" of 
digital photos but actually 
plants a time bomb that will 
erase the computer's hard 
drive on Jan. 1,2000. 

Because that's the same 
date that the Y2K bug is ex- 
pected to cause many comput- 
er systems to crash, the virus 
might fool users into believing 
they have a Y2K problem. 

Virus fighters expect more 
viruses linked- to Y2K to 
emerge as Jan. 1 approaches, 
and they are once again beg- 
ging computer users to avoid 
opening e-mailed attach- 
ments. 

\ ■ - "We're telling people to be 
very wary of electronic Christ- 
mas cards/ 1 said Sal Viveros, a 
virus expert with Network As- 
sociates Inc., based in Santa Clara 
: The Mypics worm, as tliis latest threat is called 
arrives attached to what appears to be e-mail from 
a friend or associate that says, "Here's some pic- 
tures for you!" 

Opening the attached file, Pics4You.exe, will in- 
fect your computer with the virus, which will at- 
See VIRUSES, Page 3C 
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^Many computer viruses' travel as innocent : lboking files'attacried to; 1 
' electronic mail. With the holiday season upon us; people often e-mail : 
electronic greetings and photographs to friends and family members, 

' but hot every file that cbrries.with an e-mail is safe.This year'poses^ 
- special hazards, according to^anti-virus experts, because many.'yirus 

^writers may use UVeY2K t>ug.to hide their mischief. This week; anti- - 
i .virus companies detected a" new virus, named Mypics,- that could; 
•: : :erase a computerVh"ard"drive on Jan. 1.'/> - * :Vv> -f-^- - 



WORM ARRIVES .:: 
You get ah e-mail with ah * 
attachment named Pics4You.exe' 
saying,, "Here's some pictures' for 
you!" \ 



2 WORM REPRODUCES 
If you open the attachment, the worm 
will send itself to 50 people in your 
Microsoft Outlook address book. It 
also changes the home page of your 
Microsoft Internet Explorer browser 
to a pornographic site. 



WORM WAITS 

On Jan. 1, 2000, the worm will overwrite 
key system data. The user will see an 
apparent Y2K-related error when 
starting up the computer. The worm will 
then destroy all data on the hard drive. 




HOW TO PROTECT YOURSELF 

Avoid opening attachments to e-mail if possible. If you want the attachment 
call the sender end verify its contents before opening it. Update virus 
protection software weekly and use it to scan attachments. Back up critical 
data regularly. 



Source: Symantec Corp. 
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tempt to mail itself to 50 people it 
finds in your Microsoft Outlook e- 
mail address book. It will also 
change Uie home page of your Mi- 
crosoft Internet Explorer Web 
browser to a pomograpluc site. 

Hie real damage occurs Jan. 1, 
when the \inis will change the com- 
puter's most basic software and at- 
tempt to erase the hard drive. 

The inavasing frequency of alerts 
relating to things like electronic vi- 
ruses is prompting renewed calls for 
safe computing, but few experts ex- 
pect users lo change their habits. 

"It would be great if everybody 
followed the rule: Never open e-mail 
attachments if you can help it ," said 
Carey Nachenberg, chief researcher 
at Symantec's antiviral research 
center. "Hut I don't think they will." 

In general, just looking at an infec- 
ted e-mail can't hurt; users have to 
do something else to activate the vi- 
ms and infect their system. Typical- 
ly, a virus comes as an attachment to 
e-mail, such as a document that can 
be read only with a word processor 
like Microsoft Word. 

Clicking on the attachment to 
read the document can infect the us- 
er's maclune with any vims that was 
lurking on the senders maclune. A 
virus is dangerous because it can al- 
ter or destroy data. 

Until recently, experts advised us- 
ers to simply avoid opening attach- 
ments sent by people they' didn't 
know. Unfortunately, the most trou- 
blesome viruses today spread by 
fooling people into believing the 
document was sent by a friend. 

For instance, Mypics attempts to 
mail copies of itself to anyone in the 
user's e-mail address book. Anyone 
receiving such a missive from, say, 
their brother, might open that at- 
tachment without dunking about it 

Most software vendors are aware 
of the problem and take steps to get 
around it For instance, Blue Moun- 
tain Aits, a purveyor of electronic 
greeting cards, doesn't send the card 
via e-mail, just a Web address, wlueh 
can be accessed though any brows- 
er. 

Jared P. Schutz, the company's ex- 
ecutive director, said lliat's Uie only . 
way to be safe. "I would highly rec- 
ommend that people avoid opening 
attached files, even from people that 
they. know," he said. 



That's the standard advice, but no- 
body expects attachments to disap- 
pear tomorrow, despite the warn- 
ings. 

"I can't tell you whether we've still 
got a lot of people who just haven't 
gotten the message — newbies — or 
whether it's people who should 
know better but do it anyway," said 
Sandra Sparks, director of Uie Ener- 
gy Department's Computer Incident 
Advisory Capability, wliich works to 
ensure the secuiity of government 
computer systems. "Maybe it's Uie 
same kind of thing that happens with 
people who don't wear a seat belt." 

Although many corporations scan 
all incoming e-mail and destroy any 
known virus before it's delivered in- 
to an employee's mailbox, very few 
Internet service providers offer such 
a feature, largely because examining 
every single data packet that flows 
into the pipes can slow service. 

So for now, anti-virus protection 
is largely the responsibility of indi- 
viduals. 

To protect against all viruses, ex- 
perts say virus protection software 
should be updated weekly. 



Attaclunents generally should be 
avoided. If you receive an attach- 
ment that you want, contact die 
sender and ask if it was deliberately 
sent If possible, ask that the infor- 
mation in the attachment be copied 
and pasted into a plain e-mail file 
and resent, or posted on a W eb page. 

If that's not possible and you must 
open Uie attacluuent, make sure it's 
scanned first with an updated anti-vi- 
ral program. 

Even with such precautions, it's 
still possible for a new, fast-moving 
virus to get through your defenses. 
The only real protection users have 
is to regularly make copies of the da- 
ta on their hard drive. 

"Back up your critical stuff at 
least once a week," said Sparks. "I 
know that's annoying, and I know it 
takes time. But compare Uiat 
amount of time vs. the amount of 
time you'd spend trying to rebuild 
your system, or your company, and 
that's a very small investment" 



Contact David Wilson at (202) 
388-6020 or at 
dwiIson@sjmercu)'y.covL 
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Step 1: 

A first computer 203 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-mail system 205 thereby creating 
a list of e-mail users 206. 
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Step 2: 

The first computer 203 loads and 
executes the second program that 
sends the list of e-mail users 206 
to a second computer 208. 
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Step 3: 

The second computer 208 loads and 
executes the third program that: 

specifies within the mock computer virus 

attachment 202 the e-mail 

address of the third computer 210 

as the recipient of the e-mail that is sent 

if the mock computer virus attachment 202 

is opened. 

sends the list of e-mail users 206 to 
the third computer 210. 



and sends an e-mail with the mock 
computer virus attachment 202 
to each e-mail address on the list i.e. 
each user 211. 
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Step 4: 

The third computer 210 loads and 
executes the fourth program which 
receives the e-mails from the 
users 21 1 that open the mock 
computer virus attachment 202 
and creates a new list of e-mail 
users with their respective e-mail 
addresses. 

The new list of e-mail users that 
opened the mock computer virus 
attachment 202 and those that did 
not open it, may be displayed as 
results 212 on a web page 214 or 
other report on the network. 
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Step 1: 

An e-mail user behavior 
modification server 301 
provides a program 302 
that can be downloaded to 
a computer 303. 
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Step 2: 



The program 302 extracts a 
list of e-mail addresses 304 
from the e-mail system 305. 
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Step 3: 

The program 302 sends the 
list of e-mail addresses 304 
from the computer 303 
to the e-mail user behavior 
modification server 301 . 
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Step 4: 

The e-mail user behavior 
modification server 301 sends an 
e-mail with the mock computer virus 
attachment 306 to each e-mail 
address on the list i.e. each user 307. 
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Step 5: 

The mock computer virus attachment 306 

will send an e-mail to the e-mail 

address of the e-mail user 

behavior modification server 301 

if the mock computer virus attachment 306 

is opened. 



The e-mail user behavior modification 
server 301 receives the e-mails from 
users 307 that open the mock computer 
virus attachment 306 and compiles a list 
of users 308 that opened the mock 
computer virus attachment 306. 
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Step 6: 

The list of users that opened 
the mock computer virus attachment 306 
and the users that were sent the e-mail 
with the mock computer virus attachment 306 
but did not open it are displayed as 
results 308 on a web page 309 or 
sent as an e-mail to the administrator / 
management 310. 
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Step 1: 

An e-mail user behavior 
modification server 401 
provides a program 402 
that can be downloaded to 
a computer 403. 
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Step 2: 



The program 402 extracts a 
list of e-mail addresses 404 
from the e-mail system 405. 
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Step 3: 

The computer 403 sends an 
e-mail with the mock computer virus 
attachment 406 to each e-mail 
address on the list i.e. each user 407. 
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Step 4: 



The mock computer virus attachment 406 
will send an e-mail to the e-mail E-mail User Behavior 

address of the e-mail user Modification Server 401 

behavior modification server 401 A ^ 

if the mock computer virus attachment 406 
is opened. 



The e-mail user behavior modification 
server 401 receives the e-mails from 
users 407 that open the mock computer 
virus attachment 406 and compiles a list 
of users that opened the mock 
computer virus attachment 406. 
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Step 5: 

The list of users that opened E-mail User Behavior 

the mock computer virus attachment 406 Modification Server 401 
and the users 407 that were sent the e-mail 
with the mock computer virus List 
attachment 406 but did not open it 
are displayed as results 408 on a 
web page 409 or sent as an e-mail to 
the administrator / management 410. 
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Step 1: 



A first computer 503 loads and executes 
the first program which extracts a 
set of e-mail addresses from the 
e-mail system 505 thereby creating 
a list of e-mail users 506. 

The first computer 503 informs 
the fourth computer 515 
of the number or type of 
e-mail addresses 516 it 
extracted. Number or 

ype of E-mail 
Addresses 516 




List of E-mail Users 506 
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Step 2: 

The first computer 503 loads and 
executes the second program that 
sends the list of e-mail users 506 
to a second computer 508. 



The fourth computer 515 
gives authorization 517 to the 
first computer 503 to send 
the list of e-mail users 506 
to the second computer 508. 
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